Windows Live Mail and Security

[richc46]

A few months ago I posted in the Mail forum about a possible security risk. We have a lot of new members, now, and its time to repost.

Windows Live Mail has a built in security flaw, it allows you to view your email, even before it is opened. The top pane shows the regular information, sender, time, etc, but in the bottom pane, the actual email is opened and can be read.

Go to view, and eliminate that bottom pane. We all know that we should not open email that we do not recognize, well that bottom pane opens it for us, allowing all kinds of nasties into our expensive computers.

I think enough said.

Is your email system secure against email viruses and attacks?
The most deadly viruses, able to cripple your email system and corporate network in minutes, are being distributed worldwide via email in a matter of hours (for example, the LoveLetter virus). Email worms and viruses can reach your system and infect your users through harmful attachments. But that's not all! Some viruses are transmitted through harmless-looking email messages and can run automatically without the need for user intervention (like the Nimda virus). Are you covered against such threats
http://www.gfi.com/emailsecuritytest/

 

[Greg S]

A few months ago I posted in the Mail forum about a possible security risk. We have a lot of new members, now, and its time to repost.

Windows Live Mail has a built in security flaw, it allows you to view your email, even before it is opened. The top pane shows the regular information, sender, time, etc, but in the bottom pane, the actual email is opened and can be read.

Go to view, and eliminate that bottom pane. We all know that we should not open email that we do not recognize, well that bottom pane opens it for us, allowing all kinds of nasties into our expensive computers.

I think enough said.

I don't get it. Unless I'm wrong, in it's default state, WinMail or Windows Live Mail does not open pictures, files or attachments. It's user initiated

 

[richc46]

The actual email is opened. Does not have to be the attachment that creates the problem.

 

[G1LLY]

Thanks richc46, changed my settings now, why would M$ do this in the first place? Seems a big step back in security, you'd think they'd wanna prevent this sort of malware distribution.

 

[richc46]

Dont know. I learned about this problem with Outlook Express in the year 2000

 

[richc46]

TY for the rep Gilly, but what really makes me happy is that you have taken the warning seriously. It would be a crime if we have all the security software and then just open the door and let these nasties in.

 

[Greg S]

TY for the rep Gilly, but what really makes me happy is that you have taken the warning seriously. It would be a crime if we have all the security software and then just open the door and let these nasties in.

rich, do you have any more info/links on this?

 

[richc46]

The only link that I have is in my head. Corrine will come by soon, if I am wrong she is not shy, she will let me know.

 

[Capt.Jack Sparrow]

Great Info Rich ! To be honest i never thought about this thanks for posting it here.

- Captain

 

[Greg S]

The only link that I have on it is in my head. Corrine will come by soon, if I am wrong she is not shy, she will let me know.

OK thanks, I'm really interested in this. Is there a post about it on Wilders?

 

[richc46]

If you believe that a virus can get into your computer without an attachment, you have to believe this.

 

[richc46]

Ty for the rep Capt. but my greatest reward is that I feel that I am really helping. So far, at least two have taken the warning.

 

[MWRed]

Ty for the rep Capt. but my greatest reward is that I feel that I am really helping. So far, at least two have taken the warning.

Make it 3....kind of.

I had this same thought run through my head one day not too long after I got Vista and installed the Live Mail client.
I changed it soon after just to be safe. I rarely open emails anyway, other than the ones that I am expecting. Good warning. Good post.

 

[Jacee]

Excellent post richc!

I hope everyone knows to only show the 'header' in what ever email client they use.

Tools for Detecting Spoofed Email Headers : Information Security Resources

 

[Phone Man]

I also read about that many years ago and have always turned of the preview pane. Don't remember where I read it but at the time it made sense .

Jim

 

[richc46]

As an added note. I am using WLM, and made reference to that program in my first post. Of course, all email clients with similar features would be affected in the same way.

 

[Corrine]

The only link that I have is in my head. Corrine will come by soon, if I am wrong she is not shy, she will let me know.

Apologies that I didn't come by "soon". I've been tied up dealing with glitches at another site after the forum was converted from IPB to SMF.

With Windows Live Mail, the default setup includes the Reading pane which provides information about the message/sender without opening it. To disable the Reading pane:

• Use the keyboard shortcut ALT + M or click on the Menu icon in the upper right corner next to the Help icon.
• Select Layout
• Uncheck "Show the reading pane".
• Click Apply/OK.

 

[Corrine]

If you use Windows Live Mail Beta, you'll find the option to hide the Reading pane under View. Click the Reading pane in the Ribbon and select Off.

 

[poppa bear]

Preview Pane

I personally have been using Preview Pane since the year dot, and never had a problem with it. However, I decided to check it out with Microsoft, and sent them a link to this thread. This is the text of their official reply, which pretty much confirms what I already thought:

In reviewing the details of your email I would suggest that the poster is suggesting the optimal settings from a security point of view, this may not however be optimal from a usability point of view.

The actual threat, which this mitigates is comparatively rare and your antivirus and antimalware protection should catch most threats that might slip through. There are also other protective measures in Outlook and most newer browsers, as well as Vista and Windows 7, which depending on the threat, may also minimise any impact. You always need layers of security, and if anyone was to think that by turning off the preview feature they were dramatically improving their level of protection, I’d suggest they need to consider other more effective measures.

All in all, whilst his posting is technically correct, I think it overstates the threat and doesn’t mention the other security measures which would protect you from an attack here.

Personally I always turn off the preview function, but I’m a paranoid security guy that is happy to sacrifice a lot of functionality just to be sure.

I agree with his point of view. My incoming mail in Windows Live Mail is protected by:

• Avast Anti-virus which monitors incoming emails - and outgoing if desired.

• SPAM and Phishing Filter in the WinLiveMail program; as well as the option to restrict incoming mail to my contacts list, or to persons I have replied to.

Why would anyone allow an unknown random email to be downloaded in the first place??? Do you think you're missing the chance to inherit a couple of million $$$$ from an anonymous recently deceased benefactor in Bangladesh, who wishes to bequeath his estate to a stranger because he has no family or friends?
​

• On the menu bar go to: Tools --> Options --> Read --> Untick: Automatically download message when reading in the Preview Pane. You'll still see the message in the preview pane because it's already on the web site of your ISP.

• A SPAM filter on the web site of my ISP.

• Real time anti-malware and anti-spyware programs.

The only time I ever got infected from an email - and I send/receive mega emails - was years ago when I didn't have any real time protection. I had complained to my ISP after they over charged me, and threatened them with legal action. When their reply email came I eagerly opened it, and BAM! Silly me! Even so, not a big deal. My AV program repaired it. And if that failed I had a Norton Ghost back-up image of my whole operating system.

So what's the big fuss? If you hide behind high walls, they keep threats out, but also keep you locked in.

Hope this puts a proper perspective on this minimal security threat.

 

[Greg S]

Hmm, interesting and with that, Long live the Preview pane. With Professional and higher versions of Win 7, one can set/enable in Group Policy to Notify antivirus programs when opening attachments which covers the preview pane. As far as that goes, Home Premium users can do the same with an edit to the Registry. In doing so, one doesn't have to have an extra dedicated shield running for Email. I researched this Preview Pane vulnerability and came up with nothing other than one for Outlook Express. Even that was mis-leading because the vulnerability was not actually in OE but in Internet Explorer 5.0. It was patched with version 5.01. It may be good practice to disable the Preview Pane but personally, I'm not. Anywho, thanks PB for presenting this extra info from MS rep.

I personally have been using Preview Pane since the year dot, and never had a problem with it. However, I decided to check it out with Microsoft, and sent them a link to this thread. This is the text of their official reply, which pretty much confirms what I already thought:

In reviewing the details of your email I would suggest that the poster is suggesting the optimal settings from a security point of view, this may not however be optimal from a usability point of view.

The actual threat, which this mitigates is comparatively rare and your antivirus and antimalware protection should catch most threats that might slip through. There are also other protective measures in Outlook and most newer browsers, as well as Vista and Windows 7, which depending on the threat, may also minimise any impact. You always need layers of security, and if anyone was to think that by turning off the preview feature they were dramatically improving their level of protection, I’d suggest they need to consider other more effective measures.

All in all, whilst his posting is technically correct, I think it overstates the threat and doesn’t mention the other security measures which would protect you from an attack here.




Personally I always turn off the preview function, but I’m a paranoid security guy that is happy to sacrifice a lot of functionality just to be sure.

I agree with his point of view. My incoming mail in Windows Live Mail is protected by:

• Avast Anti-virus which monitors incoming emails - and outgoing if desired.

• SPAM and Phishing Filter in the WinLiveMail program; as well as the option to restrict incoming mail to my contacts list, or to persons I have replied to.

Why would anyone allow an unknown random email to be downloaded in the first place??? Do you think you're missing the chance to inherit a couple of million $$$$ from an anonymous recently deceased benefactor in Bangladesh, who wishes to bequeath his estate to a stranger because he has no family or friends?
​

• On the menu bar go to: Tools --> Options --> Read --> Untick: Automatically download message when reading in the Preview Pane. You'll still see the message in the preview pane because it's already on the web site of your ISP.

• A SPAM filter on the web site of my ISP.

• Real time anti-malware and anti-spyware programs.

The only time I ever got infected from an email - and I send/receive mega emails - was years ago when I didn't have any real time protection. I had complained to my ISP after they over charged me, and threatened them with legal action. When their reply email came I eagerly opened it, and BAM! Silly me! Even so, not a big deal. My AV program repaired it. And if that failed I had a Norton Ghost back-up image of my whole operating system.

So what's the big fuss? If you hide behind high walls, they keep threats out, but also keep you locked in.

Hope this puts a proper perspective on this minimal security threat.